https://community.splunk.com/t5/Getting-Data-In/Are-Wildcards-supported-for-use-with-UNC-Paths/m-p/95916#M19967 <P>I am trying to index a UNC Path, but am unable to use wildcards.. </P> <P>Here's what I"m trying to match</P> <PRE><CODE>\\IISLOGS\MYSERVER01\W3SVC01\EX10.LOG </CODE></PRE> <P>I don't want to match this</P> <PRE><CODE>\\IISLOGS\YOURSERVER01\W3SVC01\EX10.LOG </CODE></PRE> <P>The manual indicates I could use *, but am having no luck.. Have tried this..</P> <PRE><CODE>\\IISLOGS\MYSERVER* \\IISLOGS\MYSERVER*\ </CODE></PRE> <P>NO indexing at all occurs if I do this..</P> Thu, 05 May 2011 19:19:48 GMT richnavis 2011-05-05T19:19:48Z https://community.splunk.com/t5/Getting-Data-In/Are-Wildcards-supported-for-use-with-UNC-Paths/m-p/95916#M19967 <P>I am trying to index a UNC Path, but am unable to use wildcards.. </P> <P>Here's what I"m trying to match</P> <PRE><CODE>\\IISLOGS\MYSERVER01\W3SVC01\EX10.LOG </CODE></PRE> <P>I don't want to match this</P> <PRE><CODE>\\IISLOGS\YOURSERVER01\W3SVC01\EX10.LOG </CODE></PRE> <P>The manual indicates I could use *, but am having no luck.. Have tried this..</P> <PRE><CODE>\\IISLOGS\MYSERVER* \\IISLOGS\MYSERVER*\ </CODE></PRE> <P>NO indexing at all occurs if I do this..</P> Thu, 05 May 2011 19:19:48 GMT https://community.splunk.com/t5/Getting-Data-In/Are-Wildcards-supported-for-use-with-UNC-Paths/m-p/95916#M19967 richnavis 2011-05-05T19:19:48Z https://community.splunk.com/t5/Getting-Data-In/Are-Wildcards-supported-for-use-with-UNC-Paths/m-p/95917#M19968 <P>Your examples seem a bit odd to me, but to match your .LOG files in your example you would use</P> <PRE><CODE>\\IISLOGS\MYSERVER01\W3SVC01\*.LOG </CODE></PRE> <P>[EDIT]<BR /> You could use the wildcard as such:</P> <PRE><CODE>\\IISLOGS\MYSERVER*\W3SVC01\*.LOG </CODE></PRE> Thu, 05 May 2011 19:51:12 GMT https://community.splunk.com/t5/Getting-Data-In/Are-Wildcards-supported-for-use-with-UNC-Paths/m-p/95917#M19968 ftk 2011-05-05T19:51:12Z https://community.splunk.com/t5/Getting-Data-In/Are-Wildcards-supported-for-use-with-UNC-Paths/m-p/95918#M19969 <P>Sorry... need to clarify my example. Was hoping not to have a seperate entry for each server..<BR /> Need to match the following..</P> <PRE><CODE>\\IISLOGS\MYSERVER01\W3SVC01\EX10.LOG \\IISLOGS\MYSERVER02\W3SVC01\EX10.LOG \\IISLOGS\MYSERVER03\W3SVC01\EX10.LOG \\IISLOGS\MYSERVER04\W3SVC01\EX10.LOG \\IISLOGS\MYSERVER05\W3SVC01\EX10.LOG </CODE></PRE> <P>Don't want to match..</P> <PRE><CODE>\\IISLOGS\YOURSERVER01\W3SVC01\EX10.LOG </CODE></PRE> Thu, 05 May 2011 20:04:43 GMT https://community.splunk.com/t5/Getting-Data-In/Are-Wildcards-supported-for-use-with-UNC-Paths/m-p/95918#M19969 richnavis 2011-05-05T20:04:43Z https://community.splunk.com/t5/Getting-Data-In/Are-Wildcards-supported-for-use-with-UNC-Paths/m-p/95919#M19970 <P>I updated my answer, basically just use more wildcards.</P> Thu, 05 May 2011 20:39:08 GMT https://community.splunk.com/t5/Getting-Data-In/Are-Wildcards-supported-for-use-with-UNC-Paths/m-p/95919#M19970 ftk 2011-05-05T20:39:08Z https://community.splunk.com/t5/Getting-Data-In/Are-Wildcards-supported-for-use-with-UNC-Paths/m-p/95920#M19971 <P>Have you considered just eating \IISLOGS and using<BR /> _blacklist = YOURSERVER</P> <P><A href="http://www.splunk.com/base/Documentation/latest/Data/Whitelistorblacklistspecificincomingdata">http://www.splunk.com/base/Documentation/latest/Data/Whitelistorblacklistspecificincomingdata</A></P> Thu, 05 May 2011 20:54:27 GMT https://community.splunk.com/t5/Getting-Data-In/Are-Wildcards-supported-for-use-with-UNC-Paths/m-p/95920#M19971 Michael_Wilde 2011-05-05T20:54:27Z https://community.splunk.com/t5/Getting-Data-In/Are-Wildcards-supported-for-use-with-UNC-Paths/m-p/95921#M19972 <P>Awesome.. I could not get it to work using wildcards in the path, but using a WHITELIST, it worked perfectly... </P> <P>.*MYSERVER.*</P> <P>Thanks for the help!</P> Thu, 05 May 2011 23:37:15 GMT https://community.splunk.com/t5/Getting-Data-In/Are-Wildcards-supported-for-use-with-UNC-Paths/m-p/95921#M19972 richnavis 2011-05-05T23:37:15Z https://community.splunk.com/t5/Getting-Data-In/Are-Wildcards-supported-for-use-with-UNC-Paths/m-p/95922#M19973 <P>Update: Did NOT work as expected... When creating a SECOND input for the same path for the second set of servers, I got a message indicating that I could not create an input with the same name.. </P> <P>This seems like pretty basic functionality.. Essentially, I want to create multiple indexes with files with a common path.. </P> Fri, 06 May 2011 01:25:17 GMT https://community.splunk.com/t5/Getting-Data-In/Are-Wildcards-supported-for-use-with-UNC-Paths/m-p/95922#M19973 richnavis 2011-05-06T01:25:17Z https://community.splunk.com/t5/Getting-Data-In/Are-Wildcards-supported-for-use-with-UNC-Paths/m-p/95923#M19974 <P>Splunk only lets you monitor a directory once. What is your scheme for determining what data goes in which index?</P> Fri, 06 May 2011 01:36:51 GMT https://community.splunk.com/t5/Getting-Data-In/Are-Wildcards-supported-for-use-with-UNC-Paths/m-p/95923#M19974 Michael_Wilde 2011-05-06T01:36:51Z https://community.splunk.com/t5/Getting-Data-In/Are-Wildcards-supported-for-use-with-UNC-Paths/m-p/95924#M19975 <P>We should be able to use your existing singular whitelist to eat the directory, but exclude everything other than your server, as you have done.</P> <P>Then.. create two files in the same dir called "props.conf" &amp; "transforms.conf" (assuming you're in the $SPLUNK_HOME/etc/apps/search/local directory<BR /> in props.conf, we can choose how events get selected and are processed by "transforms.conf". Transforms.conf will make our "index-switching" happen on the fly. Just tested it locally, seems to work just fine.</P> <H1>PROPS.CONF</H1> <PRE><CODE>[source::...Order...] TRANSFORMS-moveorders = toIndex1 [source::...Product...] TRANSFORMS-moveproducts = toIndex2 [source::...Customer...] TRANSFORMS-movecustomers = toIndex3 </CODE></PRE> <H1>TRANSFORMS.CONF</H1> <PRE><CODE>[toIndex1] DEST_KEY = _MetaData:Index REGEX = . FORMAT = Index1 [toIndex2] DEST_KEY = _MetaData:Index REGEX = . FORMAT = Index2 [toIndex3] DEST_KEY = _MetaData:Index REGEX = . FORMAT = Index3 </CODE></PRE> Fri, 06 May 2011 04:01:39 GMT https://community.splunk.com/t5/Getting-Data-In/Are-Wildcards-supported-for-use-with-UNC-Paths/m-p/95924#M19975 Michael_Wilde 2011-05-06T04:01:39Z https://community.splunk.com/t5/Getting-Data-In/Are-Wildcards-supported-for-use-with-UNC-Paths/m-p/95925#M19976 <P>Finally able to get this to work. Ended up deleting all the configuration on my server and recreating it, so potentially their was something conflicting? Anyway, just wanted to close the loop on this, showing that you can wildcard in your inputs.conf file without using transforms... Here's three examples of syntax I used for the monitor headers that WORKED.</P> <P>[monitor://\ServerLogs\prod\prod-iislogs\HS1WS*...]</P> <P>[monitor://\ServerLogs\prod\prod-iislogs\HS2WS*...]</P> <P>[monitor://\ServerLogs\prod\prod-iislogs\SI1WS*...]</P> Mon, 09 May 2011 16:45:01 GMT https://community.splunk.com/t5/Getting-Data-In/Are-Wildcards-supported-for-use-with-UNC-Paths/m-p/95925#M19976 richnavis 2011-05-09T16:45:01Z